International standards can be leveraged to build trust in the Digital Single Market

In September 2017, the European Commission published a proposal for a Regulation on Cybersecurity (the ‘Cybersecurity Act’), which includes a section defining a regulatory framework for the cybersecurity certification of ICT products and services. Improved trust is key to delivering the Digital Single Market, but to what extent does the proposed framework address real cybersecurity needs? And can existing structures and processes be better leveraged to improve security and build trust? These are some of the questions considered at OFE’s recent roundtable on Cybersecurity.

Following an introduction by Graham Taylor, the moderator of the event, MEP Catherine Stihler explained that in her view there is now an 18-month window to get the ‘Cybersecurity Act’ right. For her, it’s likely to prove much harder to accomplish the objectives of the Act if we have to wait until the next Parliament is elected in 2019. Reacting to this, Duncan Harris (V-P of Security Assurance at Oracle) underlined the overarching need for a global security evaluation standard, so as to maximise the range of fully compliant products available to purchasers. In a world of parallel country-specific standards, purchaser choice shrinks, because all but the very largest suppliers are unable to achieve certification under most, let alone all, of the various national schemes.

Stefan Weisgerber (Head of Department, Digital Technologies at DIN) explained that standards have been of great value for the European market – they act in support of regulation and open markets. In this regard, he briefly sketched the so-called New Legislative Framework as a smart tool in support of EU regulation. Its ingredients are “essential requirements”, which are a regulatory prerequisite for market access, and harmonised European Standards, which underpin the essential requirements with detailed technical provisions. He considered that any new certification system should be built on this framework.

Following a debate with the audience, it was concluded that the Commission should not reinvent an existing international scheme. Moreover, it was suggested that the Commission should collapse the proposed three-level certification hierarchy down to a single level, and should make clear the separation between legal requirements, standards and conformity assessments, as well as the link to international standards.